Mercurial > dropbear
comparison svr-x11fwd.c @ 1229:a3e8389e01ff
Validate xauth input
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 09 Mar 2016 22:45:40 +0800 |
| parents | aaf576b27a10 |
| children | 428d83f2e5db |
comparison
equal
deleted
inserted
replaced
| 1200:9a944a243f08 | 1229:a3e8389e01ff |
|---|---|
| 40 | 40 |
| 41 static void x11accept(struct Listener* listener, int sock); | 41 static void x11accept(struct Listener* listener, int sock); |
| 42 static int bindport(int fd); | 42 static int bindport(int fd); |
| 43 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); | 43 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); |
| 44 | 44 |
| 45 /* Check untrusted xauth strings for metacharacters */ | |
| 46 /* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */ | |
| 47 static int | |
| 48 xauth_valid_string(const char *s) | |
| 49 { | |
| 50 size_t i; | |
| 51 | |
| 52 for (i = 0; s[i] != '\0'; i++) { | |
| 53 if (!isalnum(s[i]) && | |
| 54 s[i] != '.' && s[i] != ':' && s[i] != '/' && | |
| 55 s[i] != '-' && s[i] != '_') { | |
| 56 return DROPBEAR_FAILURE; | |
| 57 } | |
| 58 } | |
| 59 return DROPBEAR_SUCCESS; | |
| 60 } | |
| 61 | |
| 62 | |
| 45 /* called as a request for a session channel, sets up listening X11 */ | 63 /* called as a request for a session channel, sets up listening X11 */ |
| 46 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ | 64 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
| 47 int x11req(struct ChanSess * chansess) { | 65 int x11req(struct ChanSess * chansess) { |
| 48 | 66 |
| 49 int fd; | 67 int fd = -1; |
| 50 | 68 |
| 51 if (!svr_pubkey_allows_x11fwd()) { | 69 if (!svr_pubkey_allows_x11fwd()) { |
| 52 return DROPBEAR_FAILURE; | 70 return DROPBEAR_FAILURE; |
| 53 } | 71 } |
| 54 | 72 |
| 60 chansess->x11singleconn = buf_getbool(ses.payload); | 78 chansess->x11singleconn = buf_getbool(ses.payload); |
| 61 chansess->x11authprot = buf_getstring(ses.payload, NULL); | 79 chansess->x11authprot = buf_getstring(ses.payload, NULL); |
| 62 chansess->x11authcookie = buf_getstring(ses.payload, NULL); | 80 chansess->x11authcookie = buf_getstring(ses.payload, NULL); |
| 63 chansess->x11screennum = buf_getint(ses.payload); | 81 chansess->x11screennum = buf_getint(ses.payload); |
| 64 | 82 |
| 83 if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE || | |
| 84 xauth_valid_string(chansess->x11authcookie) == DROPBEAR_FAILURE) { | |
| 85 dropbear_log(LOG_WARNING, "Bad xauth request"); | |
| 86 goto fail; | |
| 87 } | |
| 65 /* create listening socket */ | 88 /* create listening socket */ |
| 66 fd = socket(PF_INET, SOCK_STREAM, 0); | 89 fd = socket(PF_INET, SOCK_STREAM, 0); |
| 67 if (fd < 0) { | 90 if (fd < 0) { |
| 68 goto fail; | 91 goto fail; |
| 69 } | 92 } |
| 157 if (val < 0 || val >= (int)sizeof(display)) { | 180 if (val < 0 || val >= (int)sizeof(display)) { |
| 158 /* string was truncated */ | 181 /* string was truncated */ |
| 159 return; | 182 return; |
| 160 } | 183 } |
| 161 | 184 |
| 162 /* popen is a nice function - code is strongly based on OpenSSH's */ | 185 /* code is strongly based on OpenSSH's */ |
| 163 authprog = popen(XAUTH_COMMAND, "w"); | 186 authprog = popen(XAUTH_COMMAND, "w"); |
| 164 if (authprog) { | 187 if (authprog) { |
| 165 fprintf(authprog, "add %s %s %s\n", | 188 fprintf(authprog, "add %s %s %s\n", |
| 166 display, chansess->x11authprot, chansess->x11authcookie); | 189 display, chansess->x11authprot, chansess->x11authcookie); |
| 167 pclose(authprog); | 190 pclose(authprog); |